Data Processing Agreement

1.1 This Data Processing Agreement is made between Physitrack PLC, a company incorporated in England and Wales, with company number 08106661, registered address 125 London Wall, London, EC2Y 5AS (“Physitrack”), and the customer (“You”) identified in the Main Agreement.

1.2 Definitions 

“Data Protection Legislation” shall mean all applicable data protection and privacy legislation in force from time to time including without limitation the UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)); the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

“EU P-to-C Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Four (Processor-to-Controller).

“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws.

“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at:

https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en 

(“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”). 

1.3 Both You and Physitrack will comply with the applicable requirements of Data Protection Legislation generally. 

1.4 You shall retain control of the Customer Personal Data and undertake to Physitrack that You have the legal right to disclose Customer Personal Data to Physitrack and that You have provided the Data Subjects with all appropriate notices and obtained any necessary authorisations. You shall ensure that all individuals who provide written instructions are authorised to do so. 

1.5 Without prejudice to the generality of paragraph 1.3 above, Physitrack shall, in relation to Customer Data: 

1.5.1. process Your Personal Data only on Your written instructions. The scope, nature, purpose and duration of the processing and Your Personal Data categories and Data Subject types are described in the below table “Data Processing Details”;

1.5.2. keep Your Personal Data confidential and ensure its personnel are subject to a duty of confidentiality; 

1.5.3. comply with Your reasonable instructions with respect to processing Your Personal Data; 

1.5.4. not transfer Your Personal Data outside of the UK or EEA unless, in accordance with the Data Protection Legislation, Physitrack ensures that:

  1. the transfer is to a country approved as providing an adequate level of protection for Your Personal Data; or  
  2. there are appropriate safeguards in place for the transfer of Your Personal Data; or  
  3. one of the derogations for specific situations applies to the transfer.   

1.5.5. assist You, at Your own cost, in responding to any data subject access request and ensure compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;

1.5.6. notify You without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach or any communication which relates to Your or Physitrack's compliance with the Data Protection Legislation;

1.5.7. maintain complete and accurate records and information to demonstrate compliance with this Clause and allow for audits by You or Your designated auditor; and

1.5.8. inform You if, in its opinion, an instruction infringes Data Protection Legislation. 

1.6 Physitrack shall ensure that it has in place appropriate technical or organisational measures to protect against unauthorised or unlawful processing of Your Personal Data and against accidental loss or destruction of, or damage to, Your Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

1.7 Insofar as the provision of the services leads to a Restricted Transfer of Your Personal Data, You and Physitrack hereby enter into the EU P-to-C Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Physitrack and the importer is You, and on the basis that:

(a) The EU P-to-C Transfer Clauses will be completed as follows: 

  1. in clause 7, the optional docking clause will apply; 
  2. in Clause 11, the additional redress mechanism will not apply; 
  3. in Clause 14, the EEA processor will be combining personal data received from the third country-controller with personal data collected by the processor in the EEA; 
  4. Clauses 17 and 18 shall be governed by the jurisdiction of Ireland and disputes shall be resolved before the courts of the jurisdiction of Ireland;   
  5. for the purposes of Annex I to the EU P-to-C Transfer Clauses: (a) the categories of data transferred are Company Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are described in the below table “Data Processing Details”;  
  6. for the purposes of Annex II, the security measures are specified at https://www.physitrack.com/information-security, which are hereby incorporated by reference.

(b) The UK Addendum will apply as follows: 

  1. The EU P-to-C Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 1.6 (a); and
  2. Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 1.6 (a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting "data exporter".

1.8 Physitrack shall retain personal data in accordance with the terms of its Retention Policy which can be accessed via https://www.physitrack.com/data-retention-policy. 

1.9 You undertake to inform Physitrack of any changes to the email address You have provided during the provision of Services. 

1.10 You acknowledge and consent generally to the appointment by Physitrack of third parties as sub-processors of Your Personal Data being processed under these Terms of Service. A current list of sub-processors can be found below in the table “Third Party Vendors (Subprocessors) that process data on behalf of Physitrack”. 

1.11 Physitrack confirms that a) it shall impose on all sub-processors the same data protection obligations as set out in this clause and that b) it shall remain liable for the actions of its subprocessors. 

1.12 Physitrack shall give You notice of the appointment of any new sub-processors and provide You with full details of the processing to be undertaken by the sub-processor, thereby giving You the opportunity to object to such appointment. If Physitrack so notifies You of any changes to sub-processors and You object to such changes, You will be entitled to terminate this Service (without liability for either party, and such termination will be deemed to be a no-fault termination) if You have reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause You to be in breach of the Data Protection Legislation.

1.13 The total aggregate liability of whatever nature, whether in contract, tort or otherwise, of Physitrack for any losses whatsoever and howsoever caused arising from or in any way connected with this Data Processing Agreement shall be subject to the “Limitation of Liability” clause set out in the Terms of Service. Notwithstanding the foregoing, nothing in this clause will seek to limit either party’s liability which cannot be legally limited, including (but not limited to) liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.

1.14 You agree to indemnify, keep indemnified and defend at Your own expense Physitrack against all costs, claims, damages or expenses incurred by Physitrack or for which Physitrack may become liable due to any failure by You or Your employees, subcontractors or agents to comply with any of Your obligations under these Terms of Service and/or the Data Protection Legislation, in particular any failure by You to comply with the provisions of Clause 1.4 above.

Data Processing Details 

Subject matter, nature and purpose of processing: The provision of the Services to the Customer
Duration: The duration of the Agreement.
Categories of Personal Data: Name, gender, year of birth, telephone number (optional for patients), email address (optional for patients), government ID number (only for Swedish Customers), access code & exercise program, outcome measures, adherence data and messages feedback, IP address and timestamp of various user actions, video call log, video call audio, diagnosis code, custom exercise videos and images, app preferences (e.g. preferred language)
Categories of Data Subjects: Customer's Patients who are End Users of the Platform
Data Processor: Physitrack PLC
Data Controller: You

Third-party vendors (sub-processors) that process data on behalf of Physitrack

Subprocessor: ActiveCampaign
Location: EU
Controls in place: GDPR-compliant, Data Processing Agreement in place
Description: We use ActiveCampaign within our Physitrack platform to streamline our email communications and customer management, both for new and existing customers. Our goal is to optimise the experience of our existing Physitrack subscribers and to provide a smooth onboarding process for new customers and users. ActiveCampaign will not process any identifiable patient data.
Data type: Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM

Subprocessor: ADA
Location: EU
Controls in place: GDPR-compliant, Data Processing Agreement in place
Description: We use ADA as our AI-powered support agent which automates routine inquiries, offers 24/7 support, and provides personalized assistance.
Data type: Name, surname, email, IP address, account details including settings and subscription details

Subprocessor: Amazon Web Services
Location: Instances used based on Customer location
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: Cloud Service provider. Different AWS regions based on data residency requirements.
Data type: First & last name, gender, year of birth, mobile phone, email, IP address, timestamp of various user actions, access code & exercise program, outcome measure results (if assigned), messages feedback (if enabled), video call log (if enabled), video call audio (if enabled), adherence details (if enabled), diagnosis code (if enabled), custom exercise videos and images (if added), app preferences (e.g. preferred language)

Subprocessor: Cloudflare
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Cloudflare for DNS and content distribution.
Data type: IP addresses & timestamps

Subprocessor: Chargebee
Location: EU
Controls in place: GDPR-compliant, Data Processing Agreement in place
Description: We use Chargebee to help manage our subscription process and invoicing.
Data type: Practitioner's billing information such as name, email and payment method. No Patient data is sent to Chargebee.

Subprocessor: Coconut.co
Location: USA / EU
Controls in place: GDPR-compliant, Data Processing Agreement in place
Description: We use Coconut to transcode all videos into web/mobile viewable formats. Coconut automatically deletes all uploaded content after 24 hours.
Data type: Video featuring a patient

Subprocessor: Data Dog
Location: USA / EU
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Data Dog to monitor and improve the performance of our application and infrastructure.
Data type: IP addresses & timestamps

Subprocessor: FullStory
Location: EU (Germany)
Controls in place: GDPR-compliant, Data Processing Agreement in place
Description: We use FullStory as an analytics tool to help us understand how Practitioners interact with our products to improve our services.
Data type: Practitioners' website and apps interactions, including events on site, clicks and scrolls. Name, email address. No Patient data is sent to FullStory.

Subprocessor: Google Workspace
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place
Description: We use Google Workspace to host our emails.
Data type: Customer contact details and invoicing information may be sent over the email.

Subprocessor: Helpscout
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place
Description: We use Helpscout to process customer support emails and display our online knowledge base.
Data type: Name, email, IP address

Subprocessor: Twilio
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Twilio to send access codes via SMS to clients and send various notifications via SMS to practitioners.
Data type: Mobile phone number and information shared between Practitioner and Patient

Subprocessor: Webflow
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Webflow to improve our marketing website design and development capabilities.
Data type: Full name, email, and a choice from a survey (list of bullet points). No Patient data is sent to Webflow.

Subprocessor: Zapier
Location: USA
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Zapier to improve workflow automations across various applications. This will help us integrate data smoothly and enhance operational efficiency for our services. Zapier will not process any identifiable patient data.
Data type: Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM, account details including settings and subscription details. No Patient data is sent to Zapier.

Subprocessor: Zoom Video Communications Inc.
Location: USA / EU
Controls in place: GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place
Description: We use Zoom for telehealth to enhance our service capabilities, ensuring efficient, reliable, and high-quality communication.
Data type: Meeting recordings and meeting transcriptions